1.10.2 Credential Management

Going beyond Encryption, explicit credential management will provide credentials to your builds for a brief amount of time, without being persisted anywhere. It also allows for credentials to be rotated and managed external to the pipeline or team, and prevents them from being revealed by fly get-pipeline.

Credential management works by replacing the credentials with ((vars)) in your pipeline or task config. When the Concourse is about to run the step or check that is configured with vars, it will resolve them by fetching the values from the credential manager. If the values are not present, the action will error.

The following configurations can be parameterized with a credential manager:

Where these values are looked up and how the credential manager is configured depends on the backend. Consult the relevant section below for whichever backend you want to use.

Concourse currently supports the following credential managers:

  1. 1.10.2.1 The Vault credential manager
  2. 1.10.2.2 The CredHub credential manager
  3. 1.10.2.3 The AWS SSM credential manager
  4. 1.10.2.4 The AWS Secrets Manager credential manager
  5. 1.10.2.5 Kubernetes Credential Manager

Common Configuration Parameters

When a request to the credential manager fails due to an intermittent error (e.g. a timeout or connection refused), Concourse will automatically try the request again up to 5 times before giving up. After all attempts fail, the error will be surfaced in the UI for the resource check or build step that initiated the request.

The retry logic can be configured by specifying the following env on the web node:

CONCOURSE_SECRET_RETRY_ATTEMPTS=5   # how many times to try
CONCOURSE_SECRET_RETRY_INTERVAL=10s # how long to wait between attempts

By default, credentials are fetched each time they're used. This can add up when many pipelines are configured, resulting in a ton of requests to the credential manager.

To reduce load on your credential server you may want to enable caching by setting the following env on the web node:

CONCOURSE_SECRET_CACHE_ENABLED=true

By default, credentials will be cached for one minute at a time. This value can be increased to further reduce load on the server like so:

CONCOURSE_SECRET_CACHE_DURATION=5m # increase from 1m default

Credential cache duration can also determined by the credential manager itself - for example, if Vault returns a lease duration for a credential, the shorter value between the configured cache duration and the credential's lease duration will be used.